Date posted: 05-Feb-2021
Symantec™ Endpoint Detection and Response 4.5 Installation Guide for the S550 appliance


Table of Contents

Copyright statement
System Requirements
    Symantec EDR version support for appliances
    Browser requirements for the EDR appliance console
    System requirements for Symantec Endpoint Protection integration
Planning for installation
    Pre-installation checklist for physical appliances
    Physical appliance installation worksheet
    About operating roles, operating modes, and network connections
    About selecting a network scanner
    About network configurations and port connections
    Where to place the appliance in your network for best results
    Required firewall ports
    Proxy recommendations
    Symantec EDR platform support matrix
    Obtaining a Symantec EDR license file and installing it
Installing the physical appliance
    S550 appliance installation workflow
    Connecting the cables on the S550 appliance
    Powering on the S550 appliance and verifying the LEDs
    Configuring the serial terminal or terminal emulation software
    Rack-mounting the S550 appliance
Running bootstrap
    Running bootstrap to configure the appliance
Running the setup wizard
    Running the setup wizard
    status_check command
Post-installation tasks
    Completing setup tasks
    Testing Symantec EDR for successful monitoring or blocking
    Testing the appliance bypass mode
    Accessing the EDR appliance console
Appendix Materials
    Appendix A: Ports, connectors, and indicators on the appliance
        About appliance ports, connectors, and indicators
    Appendix B: Hardware specifications
        Symantec S550 appliance specifications
    Appendix C: Re-installing Symantec EDR onto the S550
        Re-installing Symantec EDR onto the S550 appliance from a USB stick or DVD


Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.

Copyright ©2020 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.


System Requirements

Symantec EDR version support for appliances

The Symantec S550 appliance supports Symantec EDR 4.1 and later.

Browser requirements for the EDR appliance console

Table 1 lists the web browsers that are compatible with the EDR appliance console. JavaScript must be enabled in the browser and cookies must be allowed. The minimum resolution for viewing the EDR appliance console is 1280x1024.

Table 1: Browser requirements for the EDR appliance console

Browser | Version
Microsoft Internet Explorer | 11 or later (Note: Quick filters are not supported.)
Mozilla Firefox | 81.0 or later (64-bit)
Google Chrome | 85.0.4183.121 or later (64-bit)
Microsoft Edge | Version 85.0.564.63 or later (64-bit)
Safari | Not supported
Opera | Not supported

System requirements for Symantec Endpoint Protection integration

Symantec Endpoint Protection version requirements

Symantec Endpoint Detection and Response can integrate with Symantec™ Endpoint Protection to enrich event information and to provide Endpoint Communications Channel (ECC) functionality. Symantec EDR has version requirements for the various SEP components.

The minimum SEPM version is 12.1 RU6. Symantec EDR can connect to multiple SEP sites, with one connection per SEP site, up to a total of ten connections to SEPM hosts.

Symantec EDR can manage client endpoints that run SEP 12.1 RU6 MP3 or later with full ECC functionality. However, clients must run SEP 14 or later to take advantage of ECC 2.0 functionality.

Client endpoints that run versions earlier than SEP 12.1 RU5 are not supported. Some functionality is limited for clients that run versions between SEP 12.1 RU5 and 12.1 RU6 MP3. The Symantec EDR documentation describes the functionality limits for each SEP client version.
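The thresholds above are easy to misread when you audit a fleet: 12.1 RU6 on its own is still in the limited band, and only 12.1 RU6 MP3 gives full ECC. The script below is an added example, not Symantec code and not part of the guide; it encodes the stated thresholds so that a list of SEP client versions exported from your SEPM can be checked before you plan the integration. The version-string grammar it accepts ("12.1 RU6 MP3", "14.3 RU1", "14") and the class labels are assumptions made here, and the inventory is constructed.

```python
"""Classify SEP client versions against the Symantec EDR 4.5 support thresholds.

Added example, not Symantec code. Thresholds are the ones the guide states; the
version-string grammar and the label names are assumptions made here.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, RU, MP)

_VERSION_RE = re.compile(
    r"^\s*(\d+)(?:\.(\d+))?(?:\s*RU\s*(\d+))?(?:\s*MP\s*(\d+))?\s*$",
    re.IGNORECASE,
)

# Thresholds from the guide's SEP integration requirements.
MIN_SUPPORTED: Version = (12, 1, 5, 0)   # below 12.1 RU5: not supported
FULL_ECC_FROM: Version = (12, 1, 6, 3)   # 12.1 RU6 MP3 and later: full ECC
ECC2_FROM: Version = (14, 0, 0, 0)       # SEP 14 and later: ECC 2.0


def parse_sep_version(text: str) -> Version:
    """Turn '12.1 RU6 MP3' into (12, 1, 6, 3) so versions compare as tuples."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SEP version string: {text!r}")
    major, minor, ru, mp = m.groups()
    return (int(major), int(minor or 0), int(ru or 0), int(mp or 0))


def classify(version_text: str) -> str:
    """Map one client version to the support class the guide describes."""
    v = parse_sep_version(version_text)
    if v < MIN_SUPPORTED:
        return "unsupported"      # earlier than 12.1 RU5
    if v < FULL_ECC_FROM:
        return "limited"          # 12.1 RU5 .. 12.1 RU6 MP2: some functionality limited
    if v < ECC2_FROM:
        return "full-ecc"         # full ECC, but ECC 2.0 needs SEP 14
    return "full-ecc-2.0"


def audit(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Classify every (host, version) pair; unparsable strings are flagged, not dropped."""
    result: Dict[str, str] = {}
    for host, version in inventory:
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unknown-version"
    return result


# Constructed sample inventory; not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "14.3 RU1"),
    ("ws-02", "12.1 RU6 MP3"),
    ("ws-03", "12.1 RU6 MP2"),
    ("ws-04", "12.1 RU4"),
    ("ws-05", "build 7.2"),
]

if __name__ == "__main__":
    for host, support in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {support}")
```

Hosts that come back as "unsupported" or "limited" are the ones to upgrade before the EDR integration is switched on; "unknown-version" means the export contained something the parser does not recognise and should be looked at by hand rather than silently skipped.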

Synapse log collector database requirements

SEPM 14.3 RU1 or later uses Microsoft SQL Express as its database for log collection. Symantec EDR can access that database without any special host system requirements.

SEPM 14.3 MP1 or earlier supports either a Microsoft SQL Server database or an embedded database. When SEPM uses an embedded database, Symantec EDR uses a log collector on the SEPM host. This log collector requires the SEPM host to be running one of the following operating systems:


• Windows 7 (64-bit only)
• Windows 8 (64-bit only)
• Windows Server 2008
• Windows Server 2012
• Windows Server 2012 R2 or later (recommended)

See the Symantec Endpoint Protection documentation for SEPM system requirements.


Planning for installation

Pre-installation checklist for physical appliances

Table 2 lists the actions to complete and the information to have ready before you install a physical appliance.

Table 2: Pre-installation checklist

Action/Item | Description

Collect tools. | Have the following items on hand:
    • #2 Phillips head screwdriver
    • 8 mm wrench (or an adjustable wrench)
    • Equipment rack-specific mounting hardware (refer to your equipment rack guide for more information)
    • Marker pen (optional)
    • Mechanical lift (optional)
    • Slide rail kit

Ensure your environment has the required resources. | See: Symantec EDR version support for appliances; Symantec EDR platform support matrix.

Have a serial terminal local to the appliance. | To perform the bootstrap, you need a serial terminal (computer). This computer can be a specialized, standalone internal server or a Windows server that runs PuTTY. It is convenient if it provides remote access via RDP or HTTP. This computer also needs to be local to the appliance. See: Configuring the serial terminal or terminal emulation software.

Have Ethernet cables available (up to four normal cables and two crossover cables). | The number and types of cables depend on your network configuration and the number of LAN and WAN ports on the appliance. For example, to permit the Ethernet interfaces to negotiate 1000 Mbps, Cat5e or Cat6 cables are required. You may need crossover cables for an Inline deployment. Crossover cables aren't required if one or both of the devices (switch, firewall) connected to the WAN port and LAN port support automatic MDI/MDI-X. See: Where to place the appliance in your network for best results.

Open required ports on the firewall and other network devices. | Make sure that the necessary ports are open on your firewall and other network devices to allow traffic to and from the Symantec EDR device, for example HTTP 80 and HTTPS 443. See: Required firewall ports.


Decide on the operating role and operating mode. | The operating roles are as follows:
    • All-in-one
    • Management platform
    • Network scanner
See: About operating roles, operating modes, and network connections; About network configurations and port connections.

Obtain the license file and make sure that it is accessible. | Make sure you can browse to and select the Symantec license file from the computer you use to run the setup wizard. See: Obtaining a Symantec EDR license file and installing it.

Complete the installation worksheet. | Make all of the decisions that you'll need for installation before you start. Having this information at hand ensures that the installation process runs smoothly and quickly. See: Physical appliance installation worksheet.

Physical appliance installation worksheet

Symantec recommends that you complete the installation worksheet fully before you start the installation. Provide this checklist to the administrators who will perform the installation tasks, and retain a copy for your records for archival and backup purposes.

Table 3: Set up serial terminal or terminal emulation software (S550 appliance only)

Configuration | Description | Value to input

Configure the terminal emulation software. | You must configure the terminal program to be able to run the bootstrap. |
    • Baud rate = 9600 bps
    • Parity = None
    • Flow control = None
    • Data bits = 8
    • Stop bits = 1

See: Configuring the serial terminal or terminal emulation software.

Table 4: Bootstrap configuration (all physical appliances)

Configuration | Description | Value to input

New password: | A new, secure password for the console. This password replaces the default password, symantec. | Provide this information to the administrator installing the appliance by a secure method. Ensure that the password is retained in a secure location for archival purposes.

Weak password. Try another [y/n]? | Note: A password that is similar to a dictionary word, is too short, or is not complex enough is less secure. Symantec EDR asks you to confirm before accepting a weak password. | ________ yes ________ no


Re-enter new password: | Confirm the new password. | Provide this information to the administrator installing the appliance by a secure method. Ensure that the password is retained in a secure location for archival purposes.

Select one of the following appliance roles: 1 = Management platform ..., 2 = Network scanner ..., 3 = All-in-one ... []? | Specify the appliance's role. See: About operating roles, operating modes, and network connections. | _______ 1 - Management platform _______ 2 - Network scanner _______ 3 - All-in-one

Configure the management port. IPv4 address []: | The static IP for the management port. For a management platform or all-in-one appliance, this IP address is used to access the EDR appliance console from a browser. | ________.________.________.________

IPv4 netmask []: | The network mask for the management port IPv4 address. | ________.________.________.________

Gateway []: | The IP address of the gateway (switch or router) that the appliance uses to communicate with the rest of your network. | ________.________.________.________

Name server (IPv4) []: | The IP address of a name server that the appliance can use to resolve host names. | ________.________.________.________

Configure another nameserver? [y/n] | Yes to add an additional name server, or No to use only one name server. If yes, provide the IP address of a second name server. | ________ yes ________.________.________.________ ________ no

Network scanner role only: IP address of the Management Platform: | The management port IP address of the management platform appliance that controls this scanner. | ________.________.________.________

Management platform or network scanner roles only: Communication Channel password: | A secure password used to encrypt communications between the management platform and all its network scanners. This password must be the same for the management platform and all network scanners. It should be different from the management console password. Letters, numbers, periods, underscores, and hyphens are allowed, and the password can be up to 50 characters. | Provide this information to the administrator installing the appliance by a secure method. Ensure that the password is retained in a secure location for archival purposes.

Management platform or network scanner roles only: Re-enter Communication Channel password: | Confirm the password. | Provide this information to the administrator installing the appliance by a secure method. Ensure that the password is retained in a secure location for archival purposes.

Configure IPv4 static routes? [y/n] | Yes to configure an IPv4 static route, or No to skip this configuration step. Static routes may be required; for example, use static routes to connect a network scanner to its management platform. | ________ yes ________ no

Destination (CIDR allowed): Gateway: | If you choose to configure IPv4 static routes, provide a destination network (CIDR notation is allowed) and the gateway IP address. | ________.________.________.________


Add another route? [y/n] | Yes to configure an additional IPv4 static route. No to go to the next prompt. You can configure up to three IPv4 static routes in bootstrap. You can configure additional static routes in the EDR appliance console. | ________ yes (up to three supported) ________.________.________.________ ________.________.________.________ ________.________.________.________ ________ no

What do you want to call this device? | The name that identifies this system in the EDR appliance console. Letters, numbers, spaces, periods, and hyphens are allowed, and the name can be up to 50 characters. | __________________________________

Set NTP server [] | The IP address or FQDN of the NTP server. Setting an NTP server ensures that the appliance has accurate time, so that the timestamps on detections are correct. | ________.________.________.________

See: Running bootstrap to configure the appliance.
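Most bootstrap mistakes (a gateway on the wrong subnet, a channel password containing a character the prompt rejects, a fourth static route) are only discovered at the serial console, where backing out is slow. The script below is an added example, not part of the guide and not Symantec tooling; it checks a filled-in worksheet against the constraints Table 4 states (character sets and 50-character limits, at most three static routes in bootstrap, a scanner must name its management platform, the channel password must differ from the console password, NTP by IP or FQDN) and adds the subnet consistency checks an installer wants. The weak-password rule it applies (at least 12 characters and three character classes) is an assumption, since the appliance's own check is not documented here, and every address, name and password in the sample worksheet is made up.

```python
"""Pre-flight check of a filled-in bootstrap worksheet (Table 4).
Added example, not from the guide or Symantec. The weak-password rule (12+ characters,
three character classes) is an assumption; every value in the sample worksheet is made up."""
import ipaddress
import re
from typing import Dict, List

ROLE_MGMT, ROLE_SCANNER, ROLE_ALL_IN_ONE = 1, 2, 3
DEFAULT_CONSOLE_PASSWORD = "symantec"                    # factory default that bootstrap replaces
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9 .\-]{1,50}$")  # letters, digits, space, '.', '-'
CHANNEL_PW_RE = re.compile(r"^[A-Za-z0-9._\-]{1,50}$")   # letters, digits, '.', '_', '-'
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")


def _ipv4(value: str) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(value)  # raises ValueError on anything else


def password_is_weak(pw: str) -> bool:
    """Assumed heuristic: the default, shorter than 12, or fewer than three character classes."""
    if pw == DEFAULT_CONSOLE_PASSWORD or len(pw) < 12:
        return True
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")) < 3


def validate_worksheet(ws: Dict) -> List[str]:
    """Return the problems found; an empty list means the worksheet is consistent."""
    problems: List[str] = []
    role = ws.get("role")
    if role not in (ROLE_MGMT, ROLE_SCANNER, ROLE_ALL_IN_ONE):
        problems.append("role must be 1 (management platform), 2 (network scanner) or 3 (all-in-one)")
    console_pw = ws.get("console_password", "")
    if password_is_weak(console_pw):
        problems.append("console password is weak or still the default")
    # Management port: address plus netmask, and a default gateway on that subnet.
    mgmt_net = None
    try:
        iface = ipaddress.IPv4Interface(f"{ws['mgmt_ip']}/{ws['mgmt_netmask']}")
        mgmt_net = iface.network
        gw = _ipv4(ws["gateway"])
        if gw not in mgmt_net or gw == iface.ip:
            problems.append(f"gateway {gw} is not on the management subnet {mgmt_net}")
    except (KeyError, ValueError) as exc:
        problems.append(f"management IP/netmask/gateway invalid: {exc}")
    name_servers = ws.get("name_servers", [])
    if not 1 <= len(name_servers) <= 2:
        problems.append("provide one or two name servers")
    for ns in name_servers:
        try:
            _ipv4(ns)
        except ValueError:
            problems.append(f"name server {ns!r} is not an IPv4 address")
    # Role-specific prompts: a scanner must know its management platform; management
    # platform and scanner both need a channel password distinct from the console one.
    if role == ROLE_SCANNER:
        try:
            _ipv4(ws.get("management_platform_ip", ""))
        except ValueError:
            problems.append("network scanner needs the management platform's management IP")
    if role in (ROLE_MGMT, ROLE_SCANNER):
        channel_pw = ws.get("channel_password", "")
        if not CHANNEL_PW_RE.match(channel_pw):
            problems.append("channel password: letters, digits, '.', '_', '-' only, 1-50 characters")
        if channel_pw == console_pw:
            problems.append("channel password should differ from the console password")
    # Static routes: at most three in bootstrap, CIDR destination, gateway on the management subnet.
    routes = ws.get("static_routes", [])
    if len(routes) > 3:
        problems.append("bootstrap accepts at most three static routes; add the rest in the console")
    for dest, route_gw in routes:
        try:
            ipaddress.IPv4Network(dest, strict=False)
            if mgmt_net is not None and _ipv4(route_gw) not in mgmt_net:
                problems.append(f"route gateway {route_gw} for {dest} is not on the management subnet")
        except ValueError as exc:
            problems.append(f"static route {dest} via {route_gw} invalid: {exc}")
    if not DEVICE_NAME_RE.match(ws.get("device_name", "")):
        problems.append("device name: letters, digits, spaces, '.', '-' only, 1-50 characters")
    ntp = ws.get("ntp_server", "")
    try:
        _ipv4(ntp)
    except ValueError:
        if not FQDN_RE.match(ntp):
            problems.append("NTP server must be an IPv4 address or an FQDN")
    return problems


# Constructed worksheet for a network scanner; every address, name and password is made up.
SCANNER_WORKSHEET = {
    "role": ROLE_SCANNER, "console_password": "Tr0ub4dor&3-long",
    "mgmt_ip": "10.20.30.40", "mgmt_netmask": "255.255.255.0", "gateway": "10.20.30.1",
    "name_servers": ["10.20.0.53", "10.20.0.54"], "management_platform_ip": "10.20.31.40",
    "channel_password": "scanner-channel_01.v2", "static_routes": [("10.20.31.0/24", "10.20.30.254")],
    "device_name": "EDR Scanner 01", "ntp_server": "ntp.example.internal",
}

if __name__ == "__main__":
    print("\n".join(validate_worksheet(SCANNER_WORKSHEET) or ["worksheet OK"]))
```

Run it against the worksheet before the installer is at the console; the route-gateway check matters most for the scanner case, where the static route to the management platform is the only path the channel has.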

Table 5: Setup wizard

Configuration | Description | Value to input

Access EDR appliance console. | This is the static IP for the management port that was specified during bootstrap. | ________.________.________.________

Upload License | You must upload a license before the Symantec EDR device is functional. You cannot use Symantec EDR after initial installation without a license. No grace period exists. | Symantec EDR license location: ______________________________________

SMTP Settings | Symantec strongly recommends that you specify the SMTP settings in the setup wizard. Doing so lets you recover a lost password. Otherwise, you can check Skip adding SMTP server configuration and specify the settings later in the EDR appliance console. |

SMTP Server and Port | The fully qualified domain name and port number of the secure mail server. | ________.________.________.________

Appliance Email | The email address from which alerts, such as a license expiration notification, are sent. | ___________________@_____________._____

Authorize | If your mail server requires a secure logon to receive messages, type a user name and password that Symantec EDR can use to authenticate to the mail server. | User name: _______________________________ Password: Provide this information to the administrator installing the appliance by a secure method. Ensure that the password is retained in a secure location for archival purposes.

Create an Administrative account | These are the login credentials for the initial administrator account. You need this logon to complete the setup wizard. This administrator can create additional user accounts, including additional administrator accounts. |

Logon name | Initial administrator logon name | _______________________________

Display name | The initial administrator's display name as it appears in the EDR appliance console. | _______________________________

User email address | The initial administrator's email address for notifications. | ____________________@____________._____


See: Running the setup wizard.

Installation worksheet completed by:

Name: _______________________________________ Date: _________________________

Provided to:

EDR Administrator: _____________________________ Date: _________________________

About operating roles, operating modes, and network connections

You configure each appliance for Symantec EDR with an operating role and an operating mode. Together, these determine how the device is connected to your network and how it functions to protect your network and to report threats.


Operating roles

You can deploy the appliance as a management platform, network scanner, or all-in-one device. You assign the operating role when you run bootstrap on the appliance. These roles have the following functionality:

Management platform | If two or more appliances are installed, one should be deployed in the management platform role. A management platform hosts the EDR appliance console and displays incidents and endpoints at risk for all connected scanners. The management platform presents a comprehensive view of malicious activity on your network. The management platform also centralizes configuration, management, and reporting functions. The management platform does not scan network traffic.

Network scanner | If two or more appliances are installed, all devices except the management platform should be deployed as network scanners. Each network scanner can monitor traffic on a different network and send its incident data to the management platform. Depending on the operating mode, the network scanner may block malicious traffic in real time. A network scanner does not have the EDR appliance console. You configure and manage the network scanner from the management platform. Its incident data is consolidated with the incident data from other network scanners and reported from the management platform. When your network expands, additional network scanners can be installed and connected to the management platform to protect the new networks.

All-in-one | If only one appliance is installed, it should be deployed in the all-in-one role. An all-in-one device performs the functions of both the management platform role and the network scanner role.

NOTE

An all-in-one device cannot function as a management platform for network scanners. Only an appliance that is assigned the management platform role can manage a network scanner.

The roles you choose depend upon the throughput of network traffic. For small to medium-sized installations, you should have one appliance running in the all-in-one role. For larger installations, you would install multiple appliances with one acting in the management platform role and the remaining appliances acting as network scanners.

See: Running bootstrap to configure the appliance.

To change the operating role of an appliance after initial installation, you must reinstall the appliance software.

Operating modes and network connections

The operating mode controls how your network traffic is processed. It also affects how the appliance is physically connected to your network.


Table 6 describes the Symantec EDR modes that are available for the appliances and the network connections that are required for each role. You must assign a static IP address to each Symantec EDR network connection.

Table 6: Symantec EDR operating modes and network connections

Mode | Description | Network connections required

Inline Block | In Inline Block mode, network traffic passes through the appliance between the endpoints and the Internet. Any file downloads, accessed websites, and traffic that are considered malicious are blocked. Only Inline Block mode provides real-time protection against threats. | 1 Management, 2 WAN, 2 LAN

Inline Monitor | In Inline Monitor mode, network traffic passes through the appliance between the endpoints and the Internet. Malicious files, websites, and traffic are logged for visibility but are not blocked. Any threats that are found in Inline Monitor mode must be mitigated manually. Inline Monitor mode is often used as a test of system performance and to analyze (from reports) what would be blocked before blocking is implemented. The physical connections for Inline Block and Inline Monitor modes are identical, so no re-cabling is necessary when you switch between these modes. The physical appliance has two Inline interfaces in Inline Monitor mode. | 1 Management, 2 WAN, 2 LAN

Bypass (Inline mode failsafe) | The state of the bypass NIC depends on how the appliance has been deployed:
    • Installed out of the box: Standard NIC mode
    • Configured for Inline deployment: Bypass mode
    • Configured for Tap deployment: Standard NIC mode
    • Reimaged (factory reset) after any previous deployment: Standard NIC mode
| Same as Inline Block or Inline Monitor

Tap | In Tap mode, the appliance connects to a Tap or SPAN port on a switch. The appliance monitors a copy of the traffic between the endpoints and the Internet, so monitoring and logging incidents do not affect network performance. Because the monitoring and logging engines work at different intervals, there may be a slight delay in detecting incidents. All threats must be mitigated manually. The appliance can monitor up to four monitor ports on separate networks in Tap mode. | 1 Management, 1 Monitor connection for each network monitored

Management platform | In management platform mode, all communications and management go through the management port. Since a management platform appliance does not scan, only the management connection is required. | 1 Management

You choose the operating mode for an all-in-one device or network scanner from the EDR appliance console. A management platform operates in management platform mode automatically.

See: About network configurations and port connections; Where to place the appliance in your network for best results.


About selecting a network scanner

The following factors determine the recommended number of network scanners.

Hardware versus virtual | Make this decision based on your current infrastructure. Users with extensive VMware investment might want to use virtual appliances. Users with little or no VMware investment should use hardware. Hardware solutions have bypass NICs, so on failure Symantec EDR continues to pass traffic when deployed inline. Therefore, real hardware is preferred for inline deployments. For more information, see the Installation Guide for your respective platform (physical or virtual appliance).

Available bandwidth | The hardware solutions have higher throughput than virtual solutions: 10 GB per port. See the Symantec Endpoint Detection and Response Sizing Guide for more information.

Total endpoints in the organization | While each deployment varies, the physical appliance has a capacity of approximately 25K simultaneous connections. These numbers are for inline mode. In Tap mode, hardware can support approximately twice the number of connections as inline.

Symantec EDR features | If the deployment is to use mostly network scanning, then a separate scanner and management platform deployment provides room to increase scanning capacity. In this case, the physical appliance has more storage capacity and is suitable for the management platform. The number of scanners depends on the number of ingress and egress points in the network and the amount of traffic at those points. An all-in-one deployment needs to be able to handle all the traffic for the projected growth of the organization for the lifetime of the appliance. If the deployment functions primarily as Symantec EDR: Endpoint, then select an all-in-one deployment.

About network configurations and port connections

The following table describes the ways to connect Symantec Endpoint Detection and Response to your network.


NOTE

Port connections vary by appliance model, version, and role.

Network configuration | Description | Connect Management to | Connect WAN to | Connect LAN to

Simple port span/tap | This configuration monitors the traffic between the endpoints and the Internet but does not block file transfers or websites. Internet-bound traffic is copied to the monitor port by port mirroring that is configured on the switch itself. This configuration uses one monitor port and one management connection. This setup is easy and is useful as an initial test of Symantec EDR. | Port on your LAN switch | Connect Monitor1 to a network tap or to a port on your LAN switch that is set to span mode | Not used

Port span/tap with multiple monitor ports | This configuration uses two monitor ports and one management connection. Extra monitor ports allow the same appliance to connect to multiple switches on different subnets. This configuration does not block file transfers or websites. | Port on your LAN switch | Connect Monitor1 to a network tap or to a port on your LAN switch that is set to span mode | Connect Monitor2 to a network tap or to a port on your LAN switch that is set to span mode

Simple inline | You can block file transfers and websites using this configuration. Inline configuration requires more network connections than port span/tap. Ideally, you should deploy Symantec EDR inline between the clients and the firewall. If you use a proxy, you should connect the appliance between the clients and the proxy. | Port on your LAN switch | Internet firewall LAN port | Port on your LAN switch


Inline with two firewalls, two proxies, and two appliances | You can connect two appliances to two firewalls as part of a high-availability environment. You can configure the firewalls for active/active failover or active/standby failover. Configure the appliances identically except for the network settings. Both appliances should be connected to the same management platform. | Port on your LAN switch | Internet firewall LAN port | Port on your LAN switch

Management platform | In a management platform configuration, an appliance is configured to manage other appliances. This appliance does not scan, so it requires only a management connection. | Port on your LAN switch | Not used | Not used


Where to place the appliance in your network for best results

The placement of your appliance depends upon whether the appliance is a management platform, network scanner, or all-in-one device. Depending on its role, the Symantec Endpoint Detection and Response appliance must be able to do the following:

• Scan all network traffic coming into and out of the organization
• Determine the source and destination of all traffic
• Detect internal connection endpoints
• Act as a network proxy for endpoints (if integrating with Symantec Endpoint Protection Manager)
• Have a minimal effect on network performance

If your architecture includes a demilitarized zone (DMZ) and you integrate Symantec EDR with Symantec Endpoint Protection, don't place the following in the DMZ:

• Management platform appliance
• All-in-one appliance
• SEP

Deploying the appliance between a proxy and the firewall prevents Symantec EDR from seeing the IP address of the source endpoint, because every connection then appears to come from the proxy. In this scenario, you must enable the X-Forwarded-For: header field on the proxy so that the appliance can recover the original client address. You might also need to configure your firewall to strip the X-Forwarded-For: header field so that internal addresses are not exposed to the Internet.

    Symantec EDR does not scan traffic between internal computers. The exception is when one of the computers is a proxy server. The internal traffic that is routed to a proxy server is scanned because it is outbound network traffic.

    If you want Symantec EDR to reach the Internet through a proxy server, you must treat the appliance as a trusted device on the proxy and disable authentication for it. Symantec EDR does not support passing Basic Authentication credentials to the proxy. Symantec EDR supports Basic or Simple Password Authentication to the proxy.

    15

  • Symantec™ Endpoint Detection and Response 4.5 Installation Guide for the S550

    appliance

    You can use the management port for any of the following:

    • To access the EDR appliance console.
    • For communication to Symantec's servers (e.g., LiveUpdate, cloud-based sandboxing, Insight, telemetry, etc.).
    • To facilitate communication to SEPM and endpoints for the endpoint proxy.

    The management network should not be open to the Internet as a whole. If you need access to the management network from outside, a VPN or short-lived Remote Desktop connection is recommended.

    In Inline mode, the management port must be on a different subnet from the Inline interface.

    The following figures show examples of network configurations.

    You might need crossover cables for Inline deployment if the devices connected to the WAN port and LAN port don't have automatic MDI/MDI-X configuration.


    About network configurations and port connections

    Required firewall ports

    Depending on your network layout, you may need to open some ports on your firewall and edit your firewall rules. These changes let you access the web addresses that are essential for Symantec Endpoint Detection and Response operations.

    Table 7 (Symantec EDR web and IP addresses) lists the web and IP addresses to which Symantec EDR requires access.


    Table 7: Symantec EDR web and IP addresses

    Web address/IP address | Protocol | Port | Description
    remotetunnel1.edrc.symantec.com, remotetunnel2.edrc.symantec.com, remotetunnel3.edrc.symantec.com, remotetunnel4.edrc.symantec.com, remotetunnel5.edrc.symantec.com | HTTPS | 443 | Permits Symantec Support remote access to the Symantec EDR appliance.
    https://api-gateway.symantec.com | TCP | 443 | Accesses Symantec's Targeted Attack Analytics service.
    licensing.dmas.symantec.com | TCP | 443 | Used to get the Cynic license.
    api.us.dmas.symantec.com, api.eu.dmas.symantec.com | TCP | 443 | Used to perform queries to the Cynic US and UK servers (required).
    liveupdate.symantec.com | TCP | 80 | Used to check for and download definitions for Symantec's detection technologies.
    ratings-wrs.symantec.com | TCP | 443 | Used to query the Norton Safe Web server to identify malicious websites.
    stnd-avpg.crsi.symantec.com, stnd-ipsg.crsi.symantec.com | TCP | 443 | Used to send detection telemetry to Symantec.
    register.brightmail.com | TCP | 443 | Used to register the appliance.
    swupdate.brightmail.com | TCP | 443 | Used to check for and download new releases of Symantec EDR.
    shasta-rrs.symantec.com, shasta-mrs.symantec.com | TCP | 443 | Used to perform reputation lookups for Windows executable and APK installable files.
    datafeedapi.symanteccloud.com | TCP | 443 | Used to download Email Security.cloud and EDR: Roaming events.
    stats.norton.com | TCP | 443 | When telemetry is configured, used to send statistics telemetry to Symantec.
    telemetry.symantec.com | TCP | 443 | When telemetry is configured, used to send file telemetry and to upload diagnostic packages to Symantec.
    EDR appliance console | TCP | 443 (inbound) or in the range of 1024 to 9997 | Access to the Symantec EDR public API.
    https://sso1.edrc.symantec.com | TCP | 443 | Used for SSO.
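    To confirm that the firewall rules are in place before the appliance is racked, the following is an added example (not from the Symantec guide, and not the appliance's own status_check command): a Python script that attempts a TCP connection to each host and port in Table 7 from a host on the management subnet and reports DNS failures, refusals and timeouts separately, since each points at a different thing to fix. The destination list is transcribed from the table; the 5-second timeout is an assumption.

```python
"""Pre-installation egress check for the destinations in Table 7.

Added example, not part of the Symantec guide and not the appliance's
status_check command. Run it from a host on the same management subnet the
appliance will use. Standard library only.
"""
import socket

# Destinations transcribed from Table 7 as (hostname, port). Every entry is
# TCP; liveupdate.symantec.com is the only one on plain HTTP (port 80).
EDR_EGRESS = [
    ("remotetunnel1.edrc.symantec.com", 443),
    ("remotetunnel2.edrc.symantec.com", 443),
    ("remotetunnel3.edrc.symantec.com", 443),
    ("remotetunnel4.edrc.symantec.com", 443),
    ("remotetunnel5.edrc.symantec.com", 443),
    ("api-gateway.symantec.com", 443),
    ("licensing.dmas.symantec.com", 443),
    ("api.us.dmas.symantec.com", 443),
    ("api.eu.dmas.symantec.com", 443),
    ("liveupdate.symantec.com", 80),
    ("ratings-wrs.symantec.com", 443),
    ("stnd-avpg.crsi.symantec.com", 443),
    ("stnd-ipsg.crsi.symantec.com", 443),
    ("register.brightmail.com", 443),
    ("swupdate.brightmail.com", 443),
    ("shasta-rrs.symantec.com", 443),
    ("shasta-mrs.symantec.com", 443),
    ("datafeedapi.symanteccloud.com", 443),
    ("stats.norton.com", 443),
    ("telemetry.symantec.com", 443),
    ("sso1.edrc.symantec.com", 443),
]


def check_tcp(host, port, timeout=5.0):
    """Return (ok, detail); ok is True only if a TCP handshake completes.

    DNS failure, connection refused and timeout are reported separately:
    the first means the name server is wrong, the second that something
    answered but not on that port, the third usually a filtering firewall
    or a missing route.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:        # name did not resolve
        return False, "dns: %s" % exc
    except ConnectionRefusedError:         # RST received
        return False, "refused"
    except socket.timeout:                 # no SYN/ACK within timeout
        return False, "timeout (filtered?)"
    except OSError as exc:                 # unreachable network, etc.
        return False, "error: %s" % exc


def check_all(destinations=EDR_EGRESS, timeout=5.0):
    """Check every destination; return the list of (host, port, detail) failures."""
    failures = []
    for host, port in destinations:
        ok, detail = check_tcp(host, port, timeout)
        print("%-5s %s:%d  %s" % ("OK" if ok else "FAIL", host, port, detail))
        if not ok:
            failures.append((host, port, detail))
    return failures


if __name__ == "__main__":
    import sys
    # Non-zero exit if any destination is unreachable, so it can gate a runbook.
    sys.exit(1 if check_all() else 0)
```

    A timeout rather than a refusal on port 443 almost always means the firewall is dropping the traffic silently; an error on every host at once usually means the management network's default gateway or name server in the installation worksheet is wrong rather than the firewall policy.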

    Table 8 (Symantec EDR ports and settings) describes the ports that Symantec EDR uses for communications, content updates, and interactions with Symantec.cloud detection services.

    Table 8: Symantec EDR ports and settings

    Service | Protocol | Port | From | To | Description
    Back up | FTP; SSH | 20 TCP, UDP; 21 TCP; 22 TCP, UDP | Management platform or all-in-one appliances | Configured backup storage server (Internal traffic) | FTP server: FTP ports 20, 21. SSH server: SSH port 22.
    Email notifications | SMTP | 25 TCP; 587 TCP | Management platform or all-in-one appliance | SMTP server (Internal traffic) | Communication with the SMTP server.
    Content updates | HTTP | 80 TCP | All appliances | Symantec (External traffic) | Virus and Vantage definitions, and other content that LiveUpdate delivers. This port is required for proper functioning of the product.
    Statistics delivery | HTTP | 80 TCP | All appliances | Symantec (External traffic) | Sends the data to Symantec for statistical and diagnostic purposes. Private data is not sent over this port.
    Endpoint communication channel (ECC) 2.0 | HTTPS; HTTP | 443; 80 | Managed SEP endpoints | Symantec EDR | Communicates commands to the endpoints.
    ECC 1.0 | HTTPS | 8446 | Symantec EDR | SEPM | Commands to SEPM.
    RRS/endpoint submissions, ECC 2.0 | HTTPS; HTTP | 443; 8080 | SEP | Symantec EDR | The SEPM private cloud that lets endpoints communicate with Symantec EDR.
    RRS/endpoint submissions, ECC 1.0 | HTTPS; HTTP; HTTP | 443; 80; 8443¹ | SEP | Symantec EDR | The SEPM private cloud that lets endpoints communicate with Symantec EDR.
    Symantec cloud detection, analysis, and correlation services and telemetry services (whether the endpoint activity recorder is enabled or disabled) | TCP | 443 TCP | All appliances | Symantec (External traffic) | Cloud service queries and telemetry data exchanges. If the endpoint activity recorder is enabled, SEP sends conviction events directly to Symantec EDR.
    Antivirus and intrusion prevention conviction information | HTTPS; HTTP | HTTP 8080 TCP or HTTPS 443 TCP; HTTP 80 TCP or HTTPS 8443 TCP | SEP clients | Symantec EDR management platform | Information about the files and the network traffic that SEP detects.
    Antivirus and intrusion prevention conviction information | HTTPS; HTTP | 443 TCP; 80 | Symantec EDR management platform | Symantec (External traffic) | Information about the files and the network traffic that SEP detects.
    Product updates | HTTPS | 443 TCP | All appliances | Symantec (External traffic) | Finds and delivers new versions of Symantec EDR.
    EDR appliance console | HTTPS | 443 TCP (inbound) or in the range of 1024 to 9997 | Client connecting to manage an appliance | Management platform or all-in-one appliance (Internal traffic) | EDR appliance console access for an all-in-one appliance or management platform.
    EDR appliance console, network scanners, and all-in-one | SSH | 22 | Client connecting to manage an appliance | Management platform, scanner, or all-in-one appliance (Internal traffic) | Command-line access for an all-in-one appliance or management platform.
    Synapse SEPM connection with Microsoft SQL Server (optional) | JDBC | 1433 TCP (default) | Management platform or all-in-one appliance | SEPM Microsoft SQL Server (Internal traffic) | Required if using Microsoft SQL Server for SEPM and Synapse. SEPM administrators can configure a different port for this communication.
    Communication channel (management platform and network scanner installations only) | AMQP | 5671 TCP; 5672 TCP | Network scanner appliance | Management platform (Internal traffic) | Communications between the management platform and network scanners. Not required for an all-in-one installation. After the initial exchange on this port, the communication is secured.
    Blocking page (Inline Block mode only) | HTTP | 8080 TCP | Network scanner | Protected endpoints (Internal traffic) | Sends the blocking page when content is blocked at an endpoint. Not required for Inline Monitor or Tap/Span modes.
    Synapse SEPM connection with Embedded DB (optional); supported for SEPM 14.3 MP1 and earlier | HTTPS | 8081 TCP (default) | Management platform or all-in-one appliance | SEPM server (Internal traffic) | Required if using the embedded database for the Synapse connection to SEPM.
    Connection to SEPM database | HTTPS | 2638 TCP (default) | Management platform or all-in-one appliance | MS SQL Express |
    Synapse SEPM connection with the SEPM web services Remote Management and Monitoring (RMM) service (optional) | HTTPS | 8446 TCP (default) | Management platform or all-in-one appliance | SEPM server | Required if connecting to the SEPM server for executing management operations, for example, adding or removing items from the blacklist or placing an endpoint under quarantine.
    Syslog | Syslog | TCP (preferred) or UDP; the port should be the same as configured in the EDR appliance console for syslog | All appliances | Configured syslog server (Internal or external traffic based on your environment) | If syslog is configured, this connection delivers log messages to the remote syslog server. TCP is preferred because UDP delivery is unacknowledged and messages can be silently dropped.
    EDR: Email; EDR: Roaming | HTTPS | 443 TCP | Management platform or all-in-one appliance | Symantec | This connection lets Symantec EDR collect conviction events from EDR: Roaming and EDR: Email when Synapse Correlation is enabled for either one of these services.
    Active Directory | LDAPS | 636 | Management platform or all-in-one appliance | Active Directory server | This connection allows Symantec EDR to integrate with Active Directory for user authentication.
    Security Analytics link | HTTPS; TCP/UDP | 443 | Management platform or all-in-one appliance | Symantec Security Analytics appliance or virtual appliance | This connection lets Symantec EDR integrate with Symantec Security Analytics to provide a link on individual log events that takes users to additional information on related network motion.

    ¹ Port 8443 is only available if you were using this port on previous versions of Symantec EDR and have since updated. If you are installing Symantec EDR for the first time, this port is not available.

    Where to place the appliance in your network for best results

    Proxy recommendations

    The following are Symantec's proxy recommendations:

    Network scanning
    Proxy deployment options are as follows:
    • Deploy Symantec EDR between the internal network and the proxy.
    This deployment configuration is recommended. When you deploy Symantec EDR between the internal network and the proxy, it gives Symantec EDR full visibility of endpoint information. When you load balance across a farm of proxies, you must deploy Symantec EDR between the internal network and the proxy farm, so that scanning continues when traffic fails over to another proxy. In this scenario, the LAN port of the proxy is the right place to plug in Symantec EDR inline.
    • Deploy Symantec EDR between the proxy and the firewall.
    When you deploy Symantec EDR between the proxy and the firewall, you must enable the X-Forwarded-For feature on the proxy so that Symantec EDR can still attribute traffic to the source endpoint. The firewall must have the ability to strip out the X-Forwarded-For header before traffic leaves the network. See the documentation for your firewall for instructions on how to remove this header. The disadvantage of this deployment is that it requires more effort to configure.

    Management traffic from Symantec EDR to Symantec back-end servers
    This proxy traffic does not support SSL interception. If the proxy server has SSL interception enabled, you must create a policy that lets Symantec traffic bypass interception. Such a policy prevents the proxy from inspecting Symantec traffic, which also reduces resource demands on the proxy.
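    The X-Forwarded-For handling described above, as an added example that is not code from the guide or from Symantec: on the EDR side, recover the source endpoint from the header only when the request really arrived from one of your own proxies, walking the address chain from the right so that a value a client spoofed cannot override the one the proxy appended; on the firewall side, strip the header before the request leaves the network. The trusted proxy address 10.1.5.10 and the sample headers are constructed for the example.

```python
"""X-Forwarded-For: recover the source endpoint (EDR side) and strip the
header (firewall side). Added example, not Symantec's code. Standard library only."""
import ipaddress

# Assumption for the example: only these proxies may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.5.10/32")]


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def source_endpoint(peer_ip, headers):
    """Return the IP address a request should be attributed to.

    peer_ip is the TCP source address seen on the wire; headers is a list of
    (name, value) pairs. Each proxy appends the address it received the
    request from, so the chain reads "client, proxy1, ..." and the entry our
    proxy appended is the rightmost address that is not itself one of our
    proxies. An untrusted peer, a missing header or a malformed address all
    fall back to peer_ip rather than to an attacker-controlled value.
    """
    if not _is_trusted(ipaddress.ip_address(peer_ip)):
        return peer_ip                       # header not set by our proxy: ignore it
    values = [v for n, v in headers if n.lower() == "x-forwarded-for"]
    if not values:
        return peer_ip
    chain = [h.strip() for h in ",".join(values).split(",") if h.strip()]
    for hop in reversed(chain):              # walk from the proxy's own entry backwards
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip                   # malformed: trust none of it
        if not _is_trusted(ip):
            return str(ip)                   # first non-proxy hop is the endpoint
    return peer_ip


def strip_x_forwarded_for(headers):
    """What the Internet firewall (or the proxy's outbound policy) must do so
    that internal addresses are not disclosed to external sites."""
    return [(n, v) for n, v in headers if n.lower() != "x-forwarded-for"]


if __name__ == "__main__":
    # Constructed sample: the client spoofed 203.0.113.7, the proxy appended the real client.
    sample = [("Host", "example.com"),
              ("X-Forwarded-For", "203.0.113.7, 192.168.20.15")]
    print(source_endpoint("10.1.5.10", sample))      # 192.168.20.15
    print(strip_x_forwarded_for(sample))             # [('Host', 'example.com')]
```

    If the proxy farm is fronted by a load balancer that also sets the header, add the load balancer's address to the trusted list; otherwise its entry is mistaken for the endpoint.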

    Symantec EDR platform support matrix

    Use the matrix below to verify that your current installation of Symantec EDR meets the system requirements to support Symantec EDR's features.


    Table 9: Platform support matrix

    Platform | Config | Specs | ECC 1.0 | ECC 2.0 Default Events¹ | ECC 2.0 All Events | Scanner Only Throughput, Tap Mode | Scanner Only Throughput, Inline Mode
    S550 | Default configuration | 18 cores; memory: 192 GB; hard drive: 4,158 GB | 100,000 endpoints | 100,000 endpoints | 50,000 endpoints | n/a | n/a

    ¹ Process Launch and Process Terminate events disabled.

    ² Symantec does not recommend inline mode for the virtual appliance. When you deploy a virtual appliance in inline mode you run a risk because there is no bypass ability.

    Obtaining a Symantec EDR license file and installing it

    When you purchase Symantec EDR, Broadcom sends you a fulfillment confirmation "Welcome" email that includes your serial number and a license key file attachment. If you did not receive a Broadcom Welcome letter or you cannot locate your license key file, go to the Broadcom web site (see Related Links) where you can access your license key file.

    Save your license key file to a location that you can access from the EDR appliance console.

    Install the license key file in EDR appliance console for product activation.

    1. In the EDR appliance console, click Settings > Global.

    2. Scroll down to the Licensing section and click Upload License.

    3. In the Upload License dialog box, browse to and select the license file, and then click Upload.

    The new license takes effect immediately, although it must be distributed to each of the scanners. If the previouslicense had expired, make sure that you enable scanning again on all scanner devices.

    Related Links
    Symantec to Broadcom Transition Guide - My Entitlements
    https://www.broadcom.com/support/symantec/getting-started#on-premises-security-products
    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=145885&_ga=2.206883987.1048733966.1583761188-848804485.1572636998

    Installing the physical appliance

    S550 appliance installation workflow

    Step 1: Complete all items in the pre-installation checklist.
    Completing the pre-installation checklist ensures that you have everything you need to install an appliance. It also ensures that you have completed all the tasks required before installation begins.
    See: Pre-installation checklist for physical appliances; Physical Appliance Installation Worksheet

    Step 2: Install the appliance.
    Install the hardware in a rack and connect network cables and power cables.
    Note: The appliance's role (all-in-one, management platform, or network scanner) and operating mode determine the cable connections and port mappings.
    See: Connecting the cables; About operating roles, operating modes, and network connections; Powering on the S550 appliance and verifying the LEDs; Configuring the serial terminal or terminal emulation software; Rack-mounting the appliance

    Step 3: Run bootstrap.
    Open the console and run the bootstrap. During bootstrap, you are prompted to provide appliance configuration information. Your Symantec EDR administrator provides this information on the Installation checklist.
    See: Running bootstrap to configure the appliance

    Step 4: Run the status_check command.
    Run the command status_check to determine if the network connectivity has been set up properly. The command lists all of the items that are checked and the status of whether each item is successful or not.
    See: status_check command

    Step 5: Run the setup wizard (management platform or all-in-one appliances only).
    The Symantec EDR setup wizard guides you through the mandatory configuration steps of an all-in-one or management platform device. This setup includes uploading the product license and creating the first administrator account so that you can log on to the EDR appliance console.
    See: Running the setup wizard

    Step 6: Perform the post-installation tasks and configurations (all configurations except management platform).
    After you exit the setup wizard, log on to the EDR appliance console. Perform the recommended tasks to start scanning traffic and collecting incident and event data.
    See: Completing setup tasks

    Step 7: Test the appliance.
    Run the status_check command again to determine if configuration settings have been correctly specified. Symantec has a test web page, http://testatp.coe.org.uk, that contains a series of links. When you click each of the links, you should see a corresponding incident in the database. In Inline Block mode, file downloads should be interrupted. You should also test whether bypass mode works correctly.
    See: Testing Symantec EDR for successful monitoring or blocking; Testing the appliance bypass mode


    Connecting the cables on the S550 appliance

    Make sure the appliance is on a flat, level surface. If you would rather rack-mount the appliance first, go to the following topic:
    Rack-mounting the appliance

    Network cables are not included with the appliance. Make sure to use only straight-through Ethernet cables. Category 6A cables are recommended for Ethernet operation.

    The following procedure describes a typical endpoint deployment for Symantec EDR appliances (see the illustration below).

    1. Connect the RJ45 end of the included serial cable to the appliance's rear panel RJ45 serial port and connect the other DB9 end of the cable to the serial terminal or workstation with terminal emulation software.

    The serial connection is necessary to perform the appliance's initial configuration.

    2. Connect an Ethernet cable to the RJ45 eth0 port labeled 0:0 and connect the other end to the management network switch.

    3. Connect the included AC power cords to the appliance's power inlets and connect the other ends to a power source.

    If you are only using the endpoint communication channel (ECC) features or the host is a Management Platform, no further steps are required to connect cables. Proceed to the following topic:


    Powering on the S550 appliance and verifying the LEDs

    If you are using copper ports, continue to step 4.

    4. Do one of the following:
    • Inline Block or Inline Monitor mode: Connect port 2:0 to the server that hosts the firewall. Optionally, you can also connect port 2:2 to another upstream firewall host.
    • Tap mode: Connect either of these ports to a Tap/Span port on a switch or router.

    5. Do one of the following:
    • Inline Block or Inline Monitor mode: Connect port 2:1 to the corporate LAN. Optionally, you can also connect port 2:3 to the corporate LAN.
    • Tap mode: Connect either of these ports to a Tap/Span port on a switch or router.

    Table 10: Port to function summary

    0:0  Management port
    2:0  WAN1 port
    2:1  LAN1 port
    2:2  WAN2 port
    2:3  LAN2 port

    Powering on the S550 appliance and verifying the LEDs

    Table 11: Front panel LED color states

    Power LED
    • Black: Powered off or no power present.
    • Amber: Powered on and booting up.
    • Blinking green: Power switch off, but power present.
    • Green: Powered on.

    Sys Status LED
    • Black: Powered off or no power present.

    1. Confirm the appliance's power cords are securely connected to a power source.

    2. If the appliance does not automatically power on, press the rear soft power switch.

    NOTE

    The state of the appliance's soft power switch (on or off) is retained when power is removed. This may necessitate pressing the power switch when reapplying power to the appliance.


    3. Verify the following as the appliance boots up:

    • The Power LED turns amber.
    • Near the end of the boot cycle, the Power LED alternates between amber and green, which indicates the appliance is in an unconfigured state.
    • After you configure the appliance, the Power LED is green.

    Running bootstrap to configure the appliance

    Configuring the serial terminal or terminal emulation software

    1. Confirm the appliance's rear panel RJ45 serial port is connected to a serial terminal or workstation with terminal emulation software.

    2. Open a terminal emulation program, such as Microsoft HyperTerminal®, PuTTY, Tera Term, or ProComm™.

    3. Configure the terminal emulation software to use the following settings:

    Baud rate: 9600 bps
    Parity: None
    Flow control: None
    Data bits: 8
    Stop bits: 1

    Rack-mounting the S550 appliance

    This topic describes how to install the appliance in a four-post equipment rack.

    CAUTION Before rack-mounting the appliance:
    • Power off the appliance and disconnect all cables.
    • Verify that the weight of the system does not exceed the rack's fully populated weight limit. For more information, refer to the manufacturer's instructions included with the rack.
    • For weight stability, load the rack from the bottom up.
    • Read the "Rack Mount Warnings" section of the Safety and Compliance Guide.
    • Take adequate safety and grounding measures to avoid creating an electrical shock hazard and to prevent bodily injury.
    • The appliance is very heavy! A two-person lift or mechanical aid is recommended to lift the appliance from the carton and install it in the rack.
    • Do not place objects on the appliance or use it as a work surface. Its mounting hardware does not support additional weight.

    The slide-rail mounting kit included with the Symantec EDR appliance allows it to be rack-mounted in a two- or four-post equipment rack. The kit provides tool-less racking for four-post racks and lets you install or remove the appliance from the front of the rack.

    The slide-rail kit includes the following parts:


    • (2) Inner chassis rails
    • (2) Outer rack rails
    • (1) Kit for two-post mounting configurations

    1. Disassemble the two side-rail assemblies by fully extending each side rail and sliding out the inner chassis rails.

    2. Attach the two inner rails to the appliance. Align each rail to the mounting posts on each side of the chassis and slide the rails toward the front of the chassis until the mounting posts snap into place.


    3. Attach the rack rails to the rack. Insert the front of each rail in the rack while opening and then releasing the front latch. Repeat to attach the rear of the rails, extending or retracting the rails as necessary so they fit. Verify the rack rails are installed at the same rack height.


    4. Install the appliance in the rack. Align the inner rails (attached to the appliance) with the slide rails in the rack and slide the appliance gently all the way into the rack until it clicks and locks in place. The appliance can be installed from either the front or rear of the rack.


    5. Optionally, to extend the appliance from the rack:
    a) Press the blue rack levers up to disengage the slide rail safety locks.
    b) While continuing to press the levers, gently pull or push the appliance so it extends out the front or rear of the rack.
    c) Remove pressure from the levers immediately so the rail safety locks engage in the fully extended position. Take care not to push or pull too far, especially while pressing the blue levers. Doing so could cause the appliance to fall from the rack.
    d) While continuing to press the levers, carefully slide the appliance out the front or rear of the rack. Make sure to use two persons or a mechanical aid to lift the appliance from the rack.

    6. Reconnect the cables and verify the appliance is functioning.

    Connecting the cables

    Powering on the S550 appliance and verifying the LEDs


    Running bootstrap

    Running bootstrap to configure the appliance

    You'll need to open the console window to run bootstrap.

    During bootstrap, you are prompted to provide appliance configuration information. Your Symantec EDR administrator provides this information on the Installation worksheet.

    When bootstrap is complete, the system restarts.

    You can re-run bootstrap (for example, to change certain IP addresses) after initial installation from the CLI using the bootstrap command. You cannot re-run bootstrap to change the operating role of the appliance.

    1. In the console window at the login prompt, log in as follows:

    User name = admin

    Password = symantec

    Bootstrap begins automatically when you are logged on for the first time before configuration.

    Once you complete configuration, you can run bootstrap again using the bootstrap CLI command.

    2. For each prompt, type a response and then press Enter to specify the required information.

    The following table describes the bootstrap prompts:

    New password:
    Type a new, secure password for the console. This password replaces the default password, symantec.

    Weak password. Try another [y/n]?
    A password that is similar to a dictionary word, is too short, or is not complex enough is less secure. Type y to discard the new password and be prompted to try again. Type n to keep the new password you previously entered.

    Re-enter new password:
    To confirm the new password, type it again and press Enter. If the two passwords do not match, you are prompted to type and retype the password again.

    Select one of the following appliance roles: 1 = Management platform ..., 2 = Network scanner ..., 3 = All-in-one ... []?
    Type the number that corresponds to the role for this appliance. The prompt describes each of the roles available.

    Configure the management port. IPv4 address []:
    Type a static IP for the management port. For a management platform or all-in-one appliance, this IP address is used to access the EDR appliance console from a browser.

    IPv4 netmask []:
    Type the network mask for the management port IPv4 address.

    Gateway []:
    Type the IP address for the gateway (switch or router) that the appliance can use to communicate with the rest of your network.


    Name server (IPv4) []:
    Type the IP address of a name server that the appliance can use to resolve host names.

    Configure another nameserver? [y/n]
    Type y to add an additional name server or n to use only one name server. If you type y, you are prompted to type the IP address of a second name server.

    Network scanner role only: IP address of the Management Platform:
    Type the management port IP address of the management platform appliance that controls this scanner.

    Management platform or network scanner roles only: Communication Channel password:
    Type a secure password to encrypt communications between the management platform and all its network scanners. This password must be the same for the management platform and all network scanners. It should be different from the management console password. Letters, numbers, periods, underscores, and hyphens are allowed, and the password can be up to 50 characters.

    Management platform or network scanner roles only: Re-enter Communication Channel password:
    To confirm the communication channel password, type it again and press Enter. If the two passwords do not match, you are prompted to type and retype the password again.

    Configure IPv4 static routes? [y/n]
    Type y to configure an IPv4 static route or n to skip this configuration step. Static routes may be required; for example, use static routes to connect a network scanner to its management platform when the two are not on the same subnet as the management gateway.

    Destination (CIDR allowed):
    Gateway:
    If you choose to configure IPv4 static routes, you are prompted to type the destination IP address (or CIDR prefix) and the gateway IP address.

    Add another route? [y/n]
    After you configure an IPv4 static route, type y in response to this prompt to configure an additional IPv4 static route. Type n to go to the next prompt. You can configure up to three IPv4 static routes in bootstrap. You can configure additional static routes in the EDR appliance console.

    What do you want to call this device?
    Type a name to identify this system in the EDR appliance console. Letters, numbers, spaces, periods, and hyphens are allowed, and the name can be up to 50 characters.

    Set NTP server []
    Type the IP address or FQDN of the NTP server. Setting an NTP server ensures that the appliance has an accurate time to indicate when detections occurred, and correct time is also needed for the appliance to validate certificates on its TLS connections.

    3. When configuration is complete, the console displays the settings that you configured and then prompts Save changes? [y/n]. Type y to save the configuration or n to reject it and make changes.

    If you type n, bootstrap restarts from the beginning. Most prompts display the previous value you entered. Press Enter to accept the previous value (if present), or type a new value to correct the entry.


    Running the setup wizard

    The Symantec Endpoint Detection and Response setup wizard guides you through the mandatory configuration steps of an all-in-one or management platform device.

    During bootstrap, you assigned a static IP address to the management port of the appliance. You need this IP address toaccess the setup wizard and the EDR appliance console.

    The console admin account in bootstrap is independent from the administrative account in the setup wizard.

    This setup wizard logon is not available after you complete the setup wizard.

    NOTE

    The appliance might take a few minutes to boot and start the required services before you can run the setupwizard. If the IP address of the management port is not responsive, wait a few minutes and try again.

    1. On a computer that is accessible to the appliance, open a window on a supported browser and type: https://<management port IP address>.

    For example, if you assigned the static IP address 10.20.20.20 to the appliance during bootstrap, type https://10.20.20.20.

    NOTE

    You must use the HTTPS protocol when you type the address of the setup wizard; the wizard is not served over plain HTTP.

2. If the browser displays an untrusted certificate or untrusted connection warning, choose to proceed, and add an exception, if required.

The Symantec EDR web interface initially uses a self-signed certificate, which you can replace with a customer-generated certificate after the initial setup. Because the browser cannot validate a self-signed certificate, confirm that you are connected to the appliance (for example, over a dedicated management network) before you type any credentials.

    3. On the logon screen, type the following credentials and then click Sign In or press Enter:

    User name: setup

    Password: symantec

This account is deactivated when you complete the setup wizard. Until then, these published credentials work for anyone who can reach the management port, so complete the wizard promptly and keep the management port on a restricted network.

    4. On the Terms and Conditions screen, read the terms and conditions.

    You must accept the Terms and Conditions to continue.

    The data handling options are enabled by default. You may choose to uncheck these options.


    5. Click Next.

6. Respond to the prompts on each screen to complete the mandatory configuration. Click Next to go to the next screen, or click Previous to return to a screen you completed.

    The following table describes the additional prompts in the setup wizard and how to respond to them.

Upload License: Click Browse to locate the license file, and select the file. When you click Next, Symantec EDR uploads the file. You must upload a license before the Symantec EDR device is functional; you cannot use Symantec EDR after initial installation without a license, and no grace period exists. See Obtaining a Symantec EDR license file and installing it.

SMTP Settings: You can enter the SMTP settings in the setup wizard, or you can check Skip adding SMTP server configuration and specify the settings later in the EDR appliance console. Type the SMTP Server (a fully qualified domain name is allowed) and Port number of your secure mail server. In the Appliance Email field, type the email address from which alerts, such as a license expiration notification, are sent. If your mail server requires a secure logon to receive messages, check Authorize, and then type a user name and password that Symantec EDR can use to authenticate with the mail server.

Create an Administrative account: Specify a logon name, password, display name, and user email address for the initial administrator account. You need this logon to complete the setup wizard. This administrator can create additional user accounts, including additional administrator accounts.

    7. Click Save.

    8. Click Exit to end the setup wizard and display the EDR appliance console logon screen.

status_check command

Description: Check system status and server connectivity. This system status includes things such as management port status, interface status, incident and event forwarding through the network proxy, and connectivity to Symantec servers in the cloud.

    Synopsis: status_check

    Option or argument: Not applicable.

Note: By default, Cynic attempts to contact the closest server to the submitting computer's location unless you enable the option to use the U.K. Cynic Server on the Settings > Global page.

    Default Cynic server: https://api.us.dmas.symantec.com

    U.K. Cynic server: https://api.eu.dmas.symantec.com


    Post-installation tasks

Completing setup tasks

Tasks to complete Symantec Endpoint Detection and Response installation lists the tasks that Symantec recommends you take immediately after you complete the preliminary Symantec Endpoint Detection and Response installation.

    Click the context-sensitive help tokens in the EDR appliance console for more information about performing these tasks.

    Table 12: Tasks to complete Symantec Endpoint Detection and Response installation

    Task Description

Access EDR appliance console. Perform the post-installation tasks and configurations in the EDR appliance console. See Accessing the EDR appliance console.

Configure the following settings on the Settings > Global page.

Set up Synapse correlation. If SEP or Email Security.cloud protect your network, configure Synapse to correlate incident data from these sources with Symantec EDR.

If you intend to use Symantec Endpoint Protection with Symantec EDR, configure the SEPM Controller connection. You can integrate Symantec Endpoint Detection and Response with Symantec Endpoint Protection to:
• Collect conviction events from your SEPM, and correlate them with events from your other control points
• Configure Symantec EDR to proxy reputation requests from your endpoints
• Send commands to your SEPM (for example, to update your SEPM deny list)
• Send commands to your endpoints (for example, to delete a file, or quarantine an endpoint)
• Retrieve information from your SEPM (for example, a list of your endpoints and their online status)
• Retrieve information from your endpoints (for example, a dump of all its events)

Configure backups. Configure one or more backup schedules and locations.

Configure secure access to the EDR appliance console. Upload a certificate issued by a CA that your clients trust so that browsers can authenticate the EDR appliance console instead of accepting the initial self-signed certificate.

For Inline Block operation, you may also want to customize the blocking page. Blocking pages are used only when you operate in Inline Block mode and scanning is turned on. When Symantec Endpoint Detection and Response blocks access to a website or prevents the download of a potentially malicious file, a blocking page appears. The blocking page informs the user that the page is blocked and who to notify for more information.

Configure the following settings on the Settings > Appliance page.

Configure Internal Network settings. When you define internal networks, you specify which computers are part of your network and which computers belong to the world outside. With this information, Symantec EDR can distinguish between protected computers and the computers that are outside of the network.

Configure Network Proxy and Enterprise Proxy settings, if these proxies are present in the environment. Symantec EDR supports the following types of proxy configurations:
• A network proxy. Symantec EDR uses a network proxy to access the external network.
• An enterprise proxy within an enterprise environment. Symantec EDR treats the traffic that is routed to an enterprise proxy (which may have an IP address within an internal network) differently than the traffic that is routed through a network proxy.
If you use proxies, each Symantec EDR appliance, whether in CIU, standalone, or scanner role, must have the IP addresses of existing proxies.

Configure syslog server connections. Connect to one or more syslog servers (a SIEM, for example) to capture and report data externally.


Set up sandboxing services. By default, Symantec EDR submits files to Symantec's Cynic cloud-based malware detonation system for analysis. However, you can keep file analysis local and submit your files to a customer-owned, on-premises Symantec Malware Analysis appliance for detonation and analysis.

Enable scanning. After you configure the appliance settings, enable scanning.

Configure the following settings on the Settings > Users page.

Add new EDR appliance console accounts. Add additional Admin, Controller, and User accounts for accessing the EDR appliance console. Tip: As a best practice, set up at least one additional Admin user account immediately after installation in case there's an issue accessing the EDR appliance console with the initial Admin account credentials.

Configure the following settings on the Reports page.

Set up reports. Set up the reports that can be generated on a daily, weekly, or monthly schedule.
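The Internal Network and proxy settings above decide whether an address counts as a protected computer, an outside computer, or a proxy whose traffic hides the real destination. The following Python script is an added illustration of that classification; it is not Symantec EDR code and does not reproduce the appliance's own logic. The CIDR ranges and proxy addresses are constructed for the example, and the lint function reports RFC 1918 ranges that no declared internal network covers, the usual way hosts end up being treated as outside the network by mistake.

```python
"""Classify addresses as internal, external, or proxy the way an
Internal Network policy would. Added illustration, not Symantec EDR code;
the CIDRs and proxy addresses in main() are constructed for the example."""
import ipaddress
from dataclasses import dataclass

# Private ranges an operator usually intends to declare as internal.
RFC1918 = tuple(ipaddress.ip_network(c) for c in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class NetworkPolicy:
    internal_networks: tuple        # ip_network objects declared as "inside"
    enterprise_proxies: frozenset   # proxy addresses that may sit inside those ranges
    network_proxies: frozenset      # proxies the appliance uses to reach the Internet


def build_policy(internal_cidrs, enterprise_proxies=(), network_proxies=()):
    """Parse operator input; strict=False turns 10.1.2.3/24 into 10.1.2.0/24."""
    nets = tuple(ipaddress.ip_network(c, strict=False) for c in internal_cidrs)
    ent = frozenset(ipaddress.ip_address(p) for p in enterprise_proxies)
    net = frozenset(ipaddress.ip_address(p) for p in network_proxies)
    if ent & net:
        raise ValueError("an address cannot be both an enterprise and a network proxy")
    return NetworkPolicy(nets, ent, net)


def classify(ip, policy):
    """Proxies are matched before ranges: an enterprise proxy inside 10/8 must
    not be mistaken for an ordinary internal host, because traffic sent to it
    has a real destination that this address does not reveal."""
    addr = ipaddress.ip_address(ip)
    if addr in policy.enterprise_proxies:
        return "enterprise-proxy"
    if addr in policy.network_proxies:
        return "network-proxy"
    if any(addr in n for n in policy.internal_networks):  # False across v4/v6
        return "internal"
    return "external"


def classify_flow(src, dst, policy):
    """Direction label for one connection, e.g. 'internal->external'."""
    return f"{classify(src, policy)}->{classify(dst, policy)}"


def uncovered_private_ranges(policy):
    """RFC 1918 blocks that no declared internal network overlaps. Hosts in
    such a block would be treated as outside the network."""
    return [str(r) for r in RFC1918
            if not any(r.overlaps(n) for n in policy.internal_networks)]


def main():
    policy = build_policy(["10.0.0.0/8", "192.168.42.0/24"],
                          enterprise_proxies=["10.1.1.10"],
                          network_proxies=["203.0.113.5"])
    for src, dst in [("10.2.3.4", "198.51.100.7"),   # direct outbound
                     ("10.2.3.4", "10.1.1.10"),      # via the enterprise proxy
                     ("172.16.5.5", "10.2.3.4")]:    # 172.16/12 was never declared
        print(f"{src} -> {dst}: {classify_flow(src, dst, policy)}")
    print("undeclared private ranges:", uncovered_private_ranges(policy))


if __name__ == "__main__":
    main()
```

Running the script prints the three flows with their labels and reports 172.16.0.0/12 as undeclared; the operator would either add that range to the internal networks or confirm that nothing lives there.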

Testing Symantec EDR for successful monitoring or blocking

Symantec has a website that you can use to test that Symantec Endpoint Detection and Response monitors network data.

    1. Open a web browser on a computer in the LAN that is connected to Symantec EDR.

    2. On the Internet, go to the following URL:

    http://www.broadcom.com

    The Broadcom website should display normally without any messages.

    3. On the Internet, go to the following URL:

    http://testatp.coe.org.uk

    4. Click on each of the links on the test page.

    You should see a corresponding incident in the database, whether you are in Tap mode or Inline Monitor mode. Cloud-based sandboxing detections may be delayed during virtual execution.

If you are in Inline Block mode, file downloads (except the cloud-based sandbox new file submission) are interrupted. Subsequent attempts to download the same file are denied.

See About operating roles, operating modes, and network connections.

Testing the appliance bypass mode

When the Symantec Endpoint Detection and Response appliance is in Inline mode, the appliance enters bypass mode if it cannot function or is turned off. In bypass mode, Internet traffic is routed through the LAN port and the WAN port, but no monitoring or blocking occurs. For bypass mode to function properly, ensure that you use the proper type of Ethernet cables to connect to the LAN. LEDs on the back of the appliance indicate bypass mode if the appliance is not turned off.

    NOTE

In bypass mode, the Ethernet cables on the LAN port and the WAN port are interconnected. You must ensure that the total length of the interconnected cables does not exceed the maximum Ethernet cable length. The Ethernet cable length per ANSI/TIA/EIA cabling standards is 100 m for Cat5e and Cat6. For more information on Ethernet cable length, refer to the ANSI/TIA/EIA cabling standards.

    To test the physical appliance bypass mode

    1. On the left navigation pane, click Settings > Appliances, and then click on an appliance in the list.

    The Appliance details page appears.


2. In the Network Interface Settings panel, click the toggle switch in the Scanning field to set scanning to the Off position. Click Ok if a warning dialog appears asking if you are sure that you want to disable scanning.

    With scanning disabled, the physical appliance should now operate in bypass mode.

    3. Try to access the Internet from a computer in the LAN that the device monitors or protects.

You should be able to access the Internet. The bypass LEDs on the back of the Symantec EDR appliance should be on, but not blinking.

4. In the EDR appliance console, click Settings > Appliances, select the device from the list. Then click the toggle switch in the Scanning field to set scanning to the On position. Click Ok if a warning dialog appears asking if you want to proceed.

    5. Test Symantec EDR to ensure that it functions properly.

See Testing Symantec EDR for successful monitoring or blocking.

Accessing the EDR appliance console

Access the EDR appliance console to configure and manage Symantec EDR and to perform threat hunting and remediation.

Access the EDR appliance console from a web browser on any client computer that can connect to the management port of your management platform or all-in-one appliance.

    NOTE

To view Symantec EDR appliance pages or access the Symantec EDR console through the cloud website, you must be connected via your company LAN or VPN, or provide Symantec EDR with a public IP address that is accessible from the Internet. Otherwise, the following error message appears: This page can't be displayed.

If you're using a self-signed certificate for your EDR installation, you must accept the certificate in your browser.

    1. On the computer that can access the network that is connected to the management port, open a web browser.

    2. In the web browser, type the following:

https://<IP address>

Where <IP address> is the address that you specified for the appliance during the bootstrap process.

    For example, if the IP address that you specified for the appliance is 192.168.42.24, go to the following URL:

    https://192.168.42.24

    NOTE

    You must use the HTTPS protocol to access the EDR appliance console.

For certain web browsers, you might have to configure a certificate security exception to access the EDR appliance console. Typically, this step is only required at the first logon per computer per session.

    3. On the Log on page, in the User name field, type the user name assigned to you by your administrator.

4. In the Password field, type your password. You are locked out after five unsuccessful attempts.

See Browser requirements for the EDR appliance console.


    Appendix Materials


    Ports, connectors, and indicators on the appliance

About appliance ports, connectors, and indicators

Ports, connectors, and indicators on the Symantec EDR appliances describes the ports, connectors, and indicators on the back of Symantec EDR appliances.

    NOTE

    Connections vary between models, versions, and roles.

See Connecting the cables on the S550 appliance.

    Table 13: Ports, connectors, and indicators on the Symantec EDR appliances

    Port, connector, or indicator Description

Power Distribution Unit (PDU) (recommended): Symantec recommends using a PDU to improve power quality, load balance, and for remote monitoring and control.

USB port: You can use this port to reimage the host using a USB stick or DVD drive that connects with a USB plug.

Serial port: Connect the serial port to another computer to access the Serial Console character-based interface.

LAN/Monitor2 Ethernet port: In tap mode, you may connect the Monitor2 port to the network tap device or a monitoring port on a switch for SPAN. In inline mode, connect the LAN port to a switch that is connected to your internal network.

WAN1/Monitor1 Ethernet port: In tap mode, connect the Monitor1 port to the network tap device or a monitoring port on a switch for SPAN. In inline mode, connect the WAN1 port to a switch toward your Internet connection or to your firewall.

LAN1/Monitor2 Ethernet port: In tap mode, you may connect the Monitor2 port to the network tap device or a monitoring port on a switch for SPAN. In inline mode, connect the LAN1 port to a switch that is connected to your internal network.

WAN2/Monitor3 Ethernet port: In tap mode, you may connect the Monitor3 port to the network tap device or a monitoring port on a switch for SPAN. In inline mode, connect the WAN2 port to a switch toward your Internet connection or to your firewall.

LAN2/Monitor4 Ethernet port: In tap mode, you may connect the Monitor4 port to the network tap device or a monitoring port on a switch for SPAN. In inline mode, connect the LAN2 port to a switch that is connected to your internal network.

Management (Mgmt) Ethernet port: Connect the management port to a switch that is connected to your internal network. The management port must have access to the following:
• Domain Name Server (DNS)
• Required Internet services

Power: This connector provides power to the appliance. Your appliance may have an extra, redundant power connector.


Bypass NIC LED indicators: Three pairs of LED indicators appear on the bypass NIC card. The Link/Activity pair is solid green and blinks green on activity when bypass mode is off; it is off when bypass mode is on. The Bypass pair is solid green when the appliance is running in bypass mode and is off when bypass mode is off. The DISC pair is always off (not used).


Hardware specifications

    Symantec S550 appliance specifications

    Table 14: S550 appliance hardware specifications

Specification: SKU6 value

CPU: Skylake Xeon Gold 6140; 24.75M Cache (CD8067303405200); 2 x 18 Core, 140W (2.30 GHz)
3.5" SAS HDD Internal: 4 x 12TB SAS HDD
2.5" SAS SSD 800GB Internal: None
2.5" NVMe SSD 800GB Internal: None
Memory (DDR4): LRDIMM (Load Reduced), 256GB (2666MHz)

Common Components on the Mother Board
PCH (Lewisburg-L): Intel C628*
SSL Interface: None
Non By-pass Ethernet Ports (2x): Intel X550
By-pass Ethernet Port (4x): X557 PHY
SAS Controller: SAS Mezzanine card
BMC (IPMC): AST2500
Boot Device (SSD): 2 x SATA III M.2 2242 SSD 64GB
Key Storage Device/SPI FLASH: 1x ME, 64MB, fixed image; 2x 32M, re-image-able
Power Supply: 2 x PSU (BEL POWER AC1600W)
System Fans, 40W: 6
Serial Port, Rear; Serial Port, Front (not functional): 1x RJ45, RS232
USB 3.0 Port, External: 1
AC Power cord/PSU receptacle: C19/C20
PCIe Carrier 1 single half height: O1A; 1 x M1A, 1 x M2A, 1 x M3A
PCIe Carrier 2 single full height: x1 O2B, x1 O3AA, 1 x Super Cap


PCIe Carrier 3 dual half height (O2B, O3A): None
Super cap for Mezz card RMSP3AD160F
IOC 16port Mez Card: None
ROC 16port Mez Card: 1
RAID Controller Intel(R) Integrated RAID Module RMSP3AD160LCM: None
Default Option Cards (only one of the following delivered as Field Replaceable Unit):
PE310G4BPI71-SR: 1
PE310G4BPI71-LR: 1


    Re-installing Symantec EDR onto the S550

Re-installing Symantec EDR onto the S550 appliance from a USB stick or DVD

Before you begin, ensure that the Symantec host is racked and the serial port is connected to a serial terminal. The serial connection is 9600 baud, 8 data bits, no parity.


    To perform a DVD installation

    1. Obtain an ISO image from Symantec.

    2. Burn the image to a DVD.

    3. Put the DVD into the DVD drive.

    4. Plug the DVD drive into the USB port.

5. Boot to the device (see To boot to the device).

6. Follow the installation wizard (see To follow the installer).

To perform a USB stick installation

7. Obtain an ISO image from Symantec. If Symantec provides a checksum for the image, verify it before you write the image to media.

    8. Create a bootable USB stick.

• For Linux: See the Red Hat Enterprise Linux 7 Installation Guide section on making USB media: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-making-usb-media

• For Mac:

A. List the mounted devices. For example:

    Last login: Thu Jul 5 09:13:15 on ttys001

    M021204TKG3QD:Downloads john_doe$ diskutil list

    /dev/disk0 (internal):

    #: TYPE NAME SIZE IDENTIFIER

    0: GUID_partition_scheme 500.3 GB disk0

    1: EFI EFI 314.6 MB disk0s1

    2: Apple_CoreStorage SymMacSOE 499.3 GB disk0s2

    3: Apple_Boot Recovery HD 650.0 MB disk0s3

    /dev/disk1 (internal, virtual):

    #: TYPE NAME SIZE IDENTIFIER

    0: Apple_HFS SymMacSOE +499.0 GB disk1

    Logical Volume on disk0s2

    DDDDFDA9-6016-4FD7-8815-B4C1D7190788


    Unlocked Encrypted

    /dev/disk2 (disk image):

    #: TYPE NAME SIZE IDENTIFIER

    0: Apple_partition_scheme +24.2 MB disk2

    1: Apple_partition_map 32.3 KB disk2s1

    2: Apple_HFS Flash Player 24.2 MB disk2s2

    /dev/disk3 (external, physical):

    #: TYPE NAME SIZE IDENTIFIER

    0: GUID_partition_scheme *2.0 TB disk3

    1: EFI EFI 209.7 MB disk3s1

    2: Apple_HFS BackupMcBackface 2.0 TB disk3s2

    /dev/disk4 (external, physical):

    #: TYPE NAME SIZE IDENTIFIER

    0: CDROM *15.9 GB disk4

    In this example, the USB stick is /dev/disk4.

B. Unmount the device. For example:

M021204TKG3QD:Downloads john_doe$ diskutil unmountDisk /dev/disk4

    Unmount of all volumes on disk4 was successful

C. Write the ISO image onto the USB stick. In this example, the USB stick is /dev/disk4.

M021204TKG3QD:Downloads john_doe$ sudo dd if=./ATP-4.0.0-3.iso of=/dev/disk4 bs=1m

    Password:

    2390+1 records in

    2390+1 records out

    2506612736 bytes transferred in 776.888341 secs (3226477 bytes/sec)

    The process of writing remounts the volume.

D. Unmount the volume so that you can remove the device. For example:

M021204TKG3QD:Downloads john_doe$ diskutil list

    /dev/disk0 (internal):

#: TYPE NAME SIZE IDENTIFIER

    0: GUID_partition_scheme 500.3 GB disk0

    1: EFI EFI 314.6 MB disk0s1

    2: Apple_CoreStorage SymMacSOE 499.3 GB disk0s2

    3: Apple_Boot Recovery HD 650.0 MB disk0s3


    /dev/disk1 (internal, virtual):

    #: TYPE NAME SIZE IDENTIFIER

    0: Apple_HFS SymMacSOE +499.0 GB disk1

    Logical Volume on disk0s2

    DDDDFDA9-6016-4FD7-8815-B4C1D7190788

    Unlocked Encrypted

    /dev/disk2 (disk image):

    #: TYPE NAME SIZE IDENTIFIER

    0: Apple_partition_scheme +24.2 MB disk2

    1: Apple_partition_map 32.3 KB disk2s1

    2: Apple_HFS Flash Player 24.2 MB disk2s2

    /dev/disk3 (external, physical):

    #: TYPE NAME SIZE IDENTIFIER

    0: GUID_partition_scheme *2.0 TB disk3

    1: EFI EFI 209.7 MB disk3s1

    2: Apple_HFS BackupMcBackface 2.0 TB disk3s2

    /dev/disk4 (external, physical):

    #: TYPE NAME SIZE IDENTIFIER

    0: CDROM *15.9 GB disk4

    M021204TKG3QD:Downloads john_doe$ diskutil unmountDisk /dev/disk4

    Unmount of all volumes on disk4 was successful
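The dd command above writes the image but never confirms what landed on the stick: a stick smaller than the image, a flipped byte, or a corrupt download each produce an installer that fails to boot or, worse, boots something other than what Symantec shipped. The following Python script is an added example, not part of the Symantec guide. It hashes the ISO, compares it with a published SHA-256 if you have one (the guide lists none, so the published value is an assumption), then reads the image-sized prefix back from the device and compares it with the ISO. It assumes the image starts at byte 0 of the device, which is what dd with no seek= does. On macOS run it with sudo against the raw device (/dev/rdisk4, not /dev/disk4) after the dd step; with no arguments it exercises itself against constructed files in a temporary directory.

```python
"""Verify an ISO written with dd by hashing the device back. Added example
for the USB-writing step, not from the Symantec guide. Assumes the image
starts at byte 0 of the device (true for 'dd of=/dev/diskN' with no seek=)
and that a published SHA-256 for the ISO is available; the digest used in
self_check() comes from a constructed file, not a real Symantec checksum."""
import hashlib
import os
import secrets
import sys
import tempfile

CHUNK = 1 << 20  # 1 MiB, a sector multiple, so raw devices accept the reads


def sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes of a file or raw block device.
    Reads whole CHUNKs (raw devices reject unaligned reads) and hashes only
    the bytes that belong to the image. Returns None if fewer than `length`
    bytes exist, which on a device means the write was truncated."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb", buffering=0) as f:
        while remaining > 0:
            chunk = f.read(CHUNK)
            if not chunk:
                return None
            part = chunk[:remaining]
            digest.update(part)
            remaining -= len(part)
    return digest.hexdigest()


def verify_written_image(iso_path, device_path, published_sha256=None):
    """Return (ok, reason). The ISO is checked against the vendor digest
    first: a faithful copy of a tampered or corrupt image is still bad."""
    size = os.path.getsize(iso_path)
    iso_digest = sha256_prefix(iso_path, size)
    if published_sha256 and iso_digest != published_sha256.strip().lower():
        return False, "ISO digest does not match the published value; do not write it"
    dev_digest = sha256_prefix(device_path, size)
    if dev_digest is None:
        return False, f"device holds fewer than {size} bytes; the write was truncated"
    if dev_digest != iso_digest:
        return False, "device contents differ from the ISO; rewrite the media"
    return True, f"{size} bytes match (sha256 {iso_digest})"


def self_check():
    """Exercise the verifier on constructed files standing in for a device."""
    with tempfile.TemporaryDirectory() as d:
        data = secrets.token_bytes(3 * CHUNK + 12345)  # deliberately not a whole MiB
        flipped = data[:CHUNK + 7] + bytes([data[CHUNK + 7] ^ 0xFF]) + data[CHUNK + 8:]
        paths = {}
        for name, content in (("image.iso", data),
                              ("good.dev", data + b"\0" * 4096),  # media larger than image
                              ("short.dev", data[:-1]),           # write ran out of media
                              ("bad.dev", flipped)):              # one corrupted byte
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(content)
        published = hashlib.sha256(data).hexdigest()
        iso = paths["image.iso"]
        return {
            "good": verify_written_image(iso, paths["good.dev"], published)[0],
            "short": verify_written_image(iso, paths["short.dev"], published)[0],
            "bad": verify_written_image(iso, paths["bad.dev"], published)[0],
            "wrong_published": verify_written_image(iso, paths["good.dev"], "0" * 64)[0],
            "short_reason": verify_written_image(iso, paths["short.dev"])[1],
        }


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # e.g. sudo python3 verify_image.py ./ATP-4.0.0-3.iso /dev/rdisk4 <published sha256>
        ok, reason = verify_written_image(sys.argv[1], sys.argv[2],
                                          sys.argv[3] if len(sys.argv) > 3 else None)
        print(reason)
        sys.exit(0 if ok else 1)
    print(self_check())
```

Run the check before you unmount the stick in step D; if it reports a truncated write, the media is smaller than the image and no amount of re-running dd will help. Reading the raw device rather than the block device avoids the buffer cache, so the bytes compared are what the appliance will read at boot.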

    9. Plug the USB stick into the USB port.

    10. Boot to the device.

    To boot to the device

    11. Follow the installer.

    To follow the installer

    To boot to the device

This procedure is the same for DVD or USB stick.

12. Press CTRL-D at the beginning of the BIOS. This task puts the USB device first in the boot order and the HDD second.

13. To switch from customer mode, type the password manuok. Because this password is published, anyone with access to the serial port and USB port can reimage the appliance; restrict physical access accordingly.

    14. In the confirmation dialog, type Y (for

